Voice biometrics: coming to a security system near you

More secure than fingerprints and good enough to catch scammers: join us for a …

Real-world implementations

Trial deployments are still the norm, but banks like ABN AMRO have already moved beyond the trial stage and are rolling out voice biometrics in an effort to boost security and lower costs. Zsolt Kadar, an IT project manager for the bank, said that the main customer call center in the Netherlands serves 4 million Dutch customers, and those 4 million customers make 35 million calls a year to the bank. When customers call, they are required to enter a five-digit code to verify their identities—essentially, it's a PIN number, but it's a different PIN number from the one used for ATM transactions. This makes the system more secure, but customers keep forgetting or losing the code since they use it so infrequently. This has happened even to Kadar. And when it happens, the bank has to issue a new telephone code—an expensive proposition.

Once a person's voice is enrolled in a voice biometrics security system, the need for this extra number goes away. The bank saves money, and customers are less frustrated—especially important for a country like the Netherlands, where the average customer now goes to the local branch only once a year.

Most banking is now done by phone, Internet, and ATM, and criminals—like electrical current—will always choose the path of least resistance. It doesn't matter how hardened a bank's ATM security measures are or how robust the SSL system it uses on the Internet is if phone banking remains less secure. So ABN AMRO went shopping for a voice biometric system that would help them boost security and eliminate the telephone code. They settled on a system from Voice Vault that showed good results at handling many types of phones. The system measures 117 characteristics of the human voice, can detect recordings, and uses a dynamic voice model that updates the stored voiceprint after every successful verification—good because voices can change over time.

The bank then embarked on the largest worldwide experiment with voice biometrics, using 1,450 people to make more than 30,000 calls to the test system. The testers called from every sort of phone imaginable, in every setting. They called when they had colds; they had family members call and attempt to impersonate them; they used recordings of their own voice to try and fool the system. After tuning the software for ABN AMRO's particular needs, Voice Vault achieved an EER of under one percent—and that's without factoring in the secret question.

When testers first called into the system, they were "enrolled": that is, several voice samples were taken, and a voiceprint was generated. The testers also created their own secret questions, recording both a question and an answer. When they called back, the system prompted them to say their account number and to answer the secret question. The new voice sample was checked against the stored voiceprint information in real time, and the answer to the secret question was checked against the stored sample. Imposters who knew the account number and the answer to the question still failed the voice check. Only if the account number and secret question were correct and the voice matched was the caller allowed to proceed.
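The call-back check described above, together with the dynamic voice model mentioned earlier, as an added sketch that is not ABN AMRO's or Voice Vault's code. It assumes each voice sample has already been reduced to a small numeric vector compared by cosine similarity, uses hypothetical `MATCH` and `ADAPT` values, and swaps the spoken secret answer for a hashed text answer; all account data is constructed.

```python
import hashlib, hmac, math

MATCH = 0.90   # hypothetical acceptance threshold on cosine similarity
ADAPT = 0.2    # hypothetical weight given to each newly verified sample

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def digest(answer):
    # Toy normalisation and hash; a production system would use a salted, slow KDF.
    return hashlib.sha256(answer.strip().lower().encode()).digest()

class VoiceVerifier:
    def __init__(self):
        self.accounts = {}  # account number -> {"print": [...], "answer": bytes}

    def enroll(self, account, samples, secret_answer):
        # Voiceprint = element-wise mean of the enrollment samples.
        mean = [sum(col) / len(samples) for col in zip(*samples)]
        self.accounts[account] = {"print": mean, "answer": digest(secret_answer)}

    def verify(self, account, secret_answer, sample):
        rec = self.accounts.get(account)
        if rec is None:
            return False
        answer_ok = hmac.compare_digest(rec["answer"], digest(secret_answer))
        voice_ok = cosine(rec["print"], sample) >= MATCH
        if not (answer_ok and voice_ok):
            return False  # the stored print is never touched on a failed call
        # Dynamic model: move the print toward the sample that just verified.
        rec["print"] = [(1 - ADAPT) * p + ADAPT * s
                        for p, s in zip(rec["print"], sample)]
        return True

# Constructed samples: three enrollment calls, the owner with a cold, a relative.
ENROLL = [(0.80, 0.20, 0.10), (0.82, 0.18, 0.12), (0.78, 0.22, 0.08)]
OWNER_WITH_COLD = (0.75, 0.28, 0.14)
RELATIVE = (0.30, 0.80, 0.20)

if __name__ == "__main__":
    v = VoiceVerifier()
    v.enroll("NL-0001", ENROLL, "Amsterdam")
    print("relative who knows the answer:", v.verify("NL-0001", "Amsterdam", RELATIVE))
    print("owner with a cold:", v.verify("NL-0001", "Amsterdam", OWNER_WITH_COLD))
```

Because the print only moves after every check has passed, a failed impostor call cannot drag the stored print toward the impostor's voice.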

Are customers ready for this technology? Kadar believes that they are. ABN AMRO did a survey of those who tested the system and found that 83 percent of them preferred voice verification to the older five-digit code. 99 percent said they would feel comfortable using the system to access account information, and 73 percent had no problem using it for money transfers. Based on its results, the bank is deploying the system in the Netherlands on a voluntary basis this year and next; customers who don't feel comfortable using it can continue to use the five-digit code for now.

Compliance concerns

Voice systems aren't just getting a boost from their cost and security; they're also getting a boost due to regulatory pressure. In the US, the Federal Financial Institutions Examination Council (FFIEC) issued guidance to banks in late 2005 (PDF) on the use of security in Internet environments. The group later clarified that this guidance extended to telephone banking systems. Jeffrey Kopchik, a senior policy analyst at the FDIC, was on hand at the conference to explain the guidance in a bit more detail.

While the FFIEC did not mandate multifactor authentication, the guidance does require that financial institutions use more security than a user ID and password combination. Voice verification is an excellent way to comply with the guidance, but Kopchik pointed out that such systems cannot remain optional or they would defeat the whole point of the new rules; banks must require users to shift to sign-in methods that meet the more stringent authentication requirements.

But voice verification systems are only as good as their enrollment procedures. It does no good for a system to be hyper-accurate in matching callers to stored voiceprints if the original voiceprint was not made from the right person. This poses a challenge that different institutions meet in different ways; ABN AMRO relies on a small electronic gadget that customers receive in the mail or at a local branch. When they insert their bank card into the top of the device, a string of numbers appears on the small screen. They then use these numbers to verify themselves to the bank.

Once enrollment in the system is completed, this step does not have to be done again, but what happens to those people who can't enroll? Every voice verification system comes across certain users (called "goats" at some firms) whose voices simply cannot be turned into voiceprints by the algorithms. And then there are those who can't hear or can't speak; all telephone-based systems need to have some alternate means of communicating with these customers.

Fraud busters

Governments not only issue guidance on security protocols, but they use them, too. In Australia, the national government has already implemented voice verification systems in multiple agencies. Politicians who needed to access sensitive documents from secure servers on a regular basis had problems remembering their passwords, so a voice verification system was rolled out in Parliament House that allows the prime minister and cabinet members to access documents with their voices.

Dr. Summerfield, the University of Canberra researcher, also pointed out that voice verification can be used for a different kind of fraud detection. A voice biometric system was installed for Australian social security agency Centrelink a few years back, as the agency handles over 100,000 phone calls per day at the largest call center in the southern hemisphere. 85 percent of those calls need to be authenticated, and under the old system, this was taking too much time.

Centrelink installed a voice verification system simply to authenticate users, but once it was in place, realized that it could also be used to look for particular kinds of fraud: speakers who change from one reporting period to the next, or a single speaker accessing multiple accounts (in order to gain multiple benefits). An initial sweep of the data that was already being gathered for authentication purposes found 20 pairs of "non-compliant speakers"—two or more people quoting the same ID number. More serious were the 200 cases of suspected ID fraud, where one person knew multiple ID numbers and was attempting to access benefits for each of them.

Older systems that relied on punching numbers into a telephone keypad or that forced people to speak with a live operator could not tell if different people were calling up on the same account each month, or if the same person was accessing multiple accounts. The new biometric system records the necessary information as part of its regular duties, and all that's left is to run searches against the database. Centrelink's conclusion was that the system was very useful for fraud detection, and it may continue to use it for this purpose.
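The kind of database sweep described above, as an added example that is not Centrelink's code: it groups stored call records by voice, then reports ID numbers quoted by more than one speaker and speakers who quoted more than one ID. The record layout, the three-number voice vectors, the `SAME_SPEAKER` threshold and all IDs are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed records: (claimed ID, reporting period, voice vector from that call).
CALLS = [
    ("ID-1001", "P1", (0.90, 0.10, 0.05)),
    ("ID-1001", "P2", (0.88, 0.12, 0.06)),  # same caller in both periods
    ("ID-1002", "P1", (0.10, 0.95, 0.10)),
    ("ID-1002", "P2", (0.05, 0.10, 0.97)),  # speaker changed between periods
    ("ID-1003", "P1", (0.50, 0.50, 0.70)),
    ("ID-1004", "P1", (0.51, 0.49, 0.71)),  # same voice as the ID-1003 caller
]
SAME_SPEAKER = 0.95  # hypothetical cosine-similarity threshold

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def label_speakers(calls, threshold=SAME_SPEAKER):
    """Greedy grouping: a call joins the first known speaker it matches.
    Order-dependent, which is acceptable for a first-pass sweep."""
    exemplars, labels = [], []  # one reference vector per distinct speaker
    for _claimed_id, _period, vec in calls:
        for speaker, ref in enumerate(exemplars):
            if cosine(vec, ref) >= threshold:
                labels.append(speaker)
                break
        else:
            exemplars.append(vec)
            labels.append(len(exemplars) - 1)
    return labels

def sweep(calls, threshold=SAME_SPEAKER):
    """Return (IDs quoted by several speakers, ID sets used by one speaker)."""
    speakers_by_id, ids_by_speaker = defaultdict(set), defaultdict(set)
    for (claimed_id, _p, _v), speaker in zip(calls, label_speakers(calls, threshold)):
        speakers_by_id[claimed_id].add(speaker)
        ids_by_speaker[speaker].add(claimed_id)
    shared_ids = sorted(i for i, s in speakers_by_id.items() if len(s) > 1)
    multi_id = sorted(sorted(ids) for ids in ids_by_speaker.values() if len(ids) > 1)
    return shared_ids, multi_id

if __name__ == "__main__":
    shared, multi = sweep(CALLS)
    print("IDs quoted by more than one speaker:", shared)
    print("ID sets quoted by a single speaker:", multi)
```

Both findings are leads for a human reviewer rather than proof of fraud, since a voice match near the threshold can be wrong in either direction.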